The EU General Data Protection Regulation (universally known as GDPR) has become ubiquitous. Less understood is what GDPR means for disputes and contentious regulatory/enforcement matters. Virtually all evidence, whether in litigation or arbitration or relating to investigations carried out by regulators or enforcement authorities, will contain personal data.
We explore below three areas where litigators should be thinking about GDPR.
DISCLOSURE IN ALL ITS FORMS
Disclosure comes in many shapes and sizes. It has nearly as many names: discovery, disclosure, production of documents, inspection and so on. It encompasses not only the specific meaning in English civil litigation under the Civil Procedure Rules, but also whenever documents are collected, reviewed or produced in a legal, regulatory or enforcement context. This may be under compulsion or due to a desire to share those documents with another party, whether that be the opponent in litigation or arbitration or a local or foreign regulator or law enforcement agency.
When might data protection considerations arise?
The concept of personal data has always been drawn extremely widely under EU data protection laws and this remains the case under the GDPR. Personal data encompasses any information relating to an identified or identifiable natural person (expressly including a name, online identifiers (eg IP addresses) and genetic identity). Personal data is therefore not limited only to the identifiers themselves, but also includes almost anything linked to those identifiers. A data controller is the entity which, alone or jointly, determines the purposes and means of processing, and both the client and its lawyer will usually be data controllers. External lawyers will typically be data controllers: they have their own professional responsibilities (in terms of record keeping, the confidentiality of communications, etc.) and exercise a degree of autonomy (eg in determining what information to request from their client and what to process in order to provide legal advice). Almost any interaction with personal data will amount to processing, including collecting, organising, storing, altering, retrieving, using, and erasing. Given the wide scope of personal data and processing activities, data protection may touch disclosure at various stages. Chief among these are:
• when scoping what documents are to be reviewed;
• when any activity, for example the extraction, processing and upload of data, is carried out by a third party;
• during substantive review by a legal process outsourcing firm and/or a law firm;
• disclosure or inspection itself (eg to opponents in litigation, regulators, law enforcement agencies, etc.); or
• any transfer of documents or data from within the European Economic Area (EEA) to outside the EEA.
Personal data may, for example, relate to employees, customers or business contacts. Sensitive data (or “special category data”) needs to be handled with even greater care than personal data but is probably less likely to be present in standard commercial disputes. Sensitive data includes data revealing racial or ethnic origin or political opinions, or data concerning health, but does not include financial information (eg bank account or credit card numbers).
Below we illustrate three different scenarios with some of the potential issues and possible solutions.
English civil litigation
For disclosure in English civil litigation, the main risk, from a data protection perspective, is probably disclosing “irrelevant” or “non-responsive” personal data. That is, personal data that is not clearly caught by the disclosure regime ordered by the court. This risk can be mitigated by redaction in the same way that “irrelevant” confidential data may be redacted, although this is both difficult and costly. In particular, the definition of personal data means that redacting someone’s name is unlikely, of itself, to be sufficient to remove all personal data from any given document. It is highly likely that the individual can still be identified from other data and/or the context. Redaction has a place but it is neither a wholesale solution nor required in every instance.
U.S. discovery obligations on a company in the EEA
Imagine a UK company is subject to extensive U.S. discovery obligations by virtue of being a party to litigation in the U.S. court. Here the main tension is between compliance with, on the one hand, the U.S. Federal Rules of Civil Procedure and, on the other, the GDPR (as well as other laws, such as bank secrecy rules and “blocking statutes”). On the face of it, the GDPR (Article 48) requires that, without prejudice to any other grounds for cross-border transfers, any transfer or disclosure of personal data in response to a request from a court, tribunal or administrative authority of a non-EEA country must be based on an international agreement (such as a mutual legal assistance treaty) between the requesting state and the EU or a Member State. From a GDPR perspective you should therefore consider arguing for the U.S. discovery to proceed through the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (1970). Historically this has not always been palatable from a U.S. perspective due to the delays, costs and uncertainty of obtaining the evidence. U.S. judges typically lose patience with such processes and have been sceptical that significant penalties will be imposed on litigants for breach of data protection regimes in other jurisdictions.
Other considerations include:
• negotiating the scope of discovery (not necessarily that easy);
• seeking a Protective Order from the U.S. court to afford some level of protection to any data transferred (this is not a panacea); and/or
• redaction of personal data (likely to be difficult and costly).
GDPR Article 48: Transfers or disclosures not authorised by Union law
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
U.S. regulator / law enforcement authority
In this example, a UK company receives a letter from the U.S. Securities and Exchange Commission (SEC) seeking voluntary assistance. The UK company is keen to cooperate with the SEC as far as possible.
Some of the issues from a GDPR perspective are:
• the lack of compulsion as a matter of English law; and
• the fact that the data is to be transferred from the UK to outside the EEA.
As well as considering redaction and negotiation of the scope of the assistance with the SEC, from a GDPR perspective, at least, the UK company wants the request to be made from the SEC to the Financial Conduct Authority (FCA) and then for the FCA to require provision of the information under its statutory powers.
Impact of GDPR
The tension between data protection laws and disclosure in all its forms has existed for some time, with companies frequently caught between a rock and a hard place, particularly where foreign (especially U.S.) regulators and enforcement agencies are involved. Historically, companies have generally been more fearful of requesting agencies than of the data protection authorities in EU Member States, although there have been recent examples of companies attempting to resist demands from U.S. law enforcement agencies (eg Microsoft Corporation, which receives tens of thousands of requests for customer data each year). However, the level of potential fines under the GDPR (up to 4% of annual worldwide turnover) is likely to shift the balance in favour of data protection, and the risk-based assessment is going to become even more difficult to make. GDPR does not fundamentally change the factors that banks and corporations must consider, but it does make the decision more acute. It is notable that an outright ban on transfers to foreign regulators without prior approval from a Data Protection Authority, which appeared in early drafts, did not survive in the adopted text of the GDPR.
DATA SUBJECT ACCESS REQUESTS
Data subject access requests (DSARs) are the means by which individuals are entitled to obtain confirmation that their data is being processed, and access their personal data as well as certain other information (eg about the purposes for processing and whether the data will be given to any other organisations).
The information that can be obtained by DSARs is limited to personal data, and so is less wide-ranging than discovery/disclosure in civil litigation. However, actual and potential litigants often use DSARs as a tactic in litigation or as a “fishing expedition” to obtain either pre-action disclosure or disclosure whilst proceedings are on-going. In Dawson-Damer v Taylor Wessing, when considering a DSAR made during on-going litigation, the UK Court of Appeal held that the motivation behind a DSAR is irrelevant. Provided the DSAR is not an abuse of the court’s process or does not result in a conflict of interest, the court will not use the purpose of a DSAR as a reason to limit the exercise of its discretion to compel an organisation to respond. However, in light of the Court of Appeal’s decision in Ittihadieh v 5-11 Cheyne Gardens and Deer v Oxford University, the “absence of a legitimate reason” for a DSAR may still be relevant to whether the court exercises its discretion to order compliance with that DSAR (even though a collateral purpose of assisting in litigation was held not to be an absolute bar). Further, a reduction in the costs awarded to a data subject may also be ordered where DSARs are “essentially antagonistic” or amount to “low level attritional warfare” against the data controller.
Impact of GDPR
GDPR introduces a number of changes to the procedure for making a DSAR. These are generally data subject friendly and may make it more burdensome for organisations receiving DSARs:
(i) Fees: Organisations will no longer be able to charge the current GBP 10 fee, which (though minimal) did act as a limited deterrent.
(ii) Unfounded or excessive requests: Where a DSAR is “manifestly unfounded or excessive”, the organisation can charge a fee or refuse to respond. The burden is on the organisation to show that the DSAR was manifestly unfounded or excessive in character.
(iii) Time limit for response: An organisation must respond to a DSAR without undue delay and, in any event, within one month of receipt. This is shorter than the current 40-day period that UK organisations have been used to. The one-month period can be extended to three months, taking into account the complexity and number of DSARs, in which case the data subject must be informed of the extension (including reasons) within one month of receipt of the DSAR.
(iv) Content of response: As well as access to the data subject’s personal data, the right of access extends to other information, including: the envisaged storage period for the personal data; the right to request rectification, erasure or restriction of processing; the right to lodge a complaint with the Data Protection Authority; and, if automated decision-making is used, meaningful information on the logic involved.
(v) Electronic DSARs: It must be possible to make DSARs electronically and, unless otherwise requested by the data subject, the organisation must provide the information in a commonly used electronic form. The increased fines under GDPR are theoretically available for breaches of data subjects’ right of access.
GROUP LITIGATION / REPRESENTATION OF DATA SUBJECTS
In Various Claimants v WM Morrisons, the UK High Court found Morrisons vicariously liable for a rogue employee’s breach of current UK data protection law, the Data Protection Act 1998 (DPA 1998).
The Morrisons case
The decision followed a rogue employee’s intentional disclosure of personal data relating to around 100,000 of Morrisons’ employees in early 2014. The employee was convicted of criminal offences under the Computer Misuse Act 1990 and the DPA 1998, and was sentenced to eight years’ imprisonment. A group litigation claim was brought against Morrisons by over 5,500 employees under the DPA 1998 and at common law (for breach of confidence and misuse of private information) seeking compensation for distress.
The High Court accepted that Morrisons could not be directly liable under the DPA 1998, primarily because it was not the data controller at the time of any of the breaches (the rogue employee was). However, Morrisons was found vicariously liable. Notwithstanding that the disclosure took place outside working hours and from the employee’s personal device, there was “sufficient connection” between his employment and the breach for vicarious liability to arise.
The Morrisons case demonstrates that vicarious liability is, in principle, available under the DPA 1998 and for other claims, although Morrisons was granted permission to appeal.
Impact of GDPR
The Morrisons case is the first data breach group litigation claim to come before the English courts and raises the prospect of similar group litigation claims. The advent of GDPR and increasing data subject awareness mean that claims of this nature will likely increase in number. Under GDPR, the overall analysis and exposure of employers will not change. However, GDPR contains more detailed requirements surrounding data security and introduces mandatory data breach notification to the Data Protection Authority and also, if the breach is sufficiently serious, to the affected individuals.
GDPR also encourages group litigation of the type brought against Morrisons. In particular, provision has been made for data subjects to mandate a consumer protection body to exercise their rights and bring claims on their behalf for breaches of GDPR. Such bodies may include NOYB (or ‘None of Your Business’), the non-profit organisation started in 2017 by Austrian privacy activist Max Schrems to bring consumer privacy cases to court.